Orion Office REIT Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Orion Office REIT Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:25:55 EST.

Filings

10-K filed on 2024-02-27

Orion Office REIT Inc. filed a 10-K at 2024-02-27 16:25:55 EST
Accession Number: 0001873923-24-000008


Item 1C. Cybersecurity.

The Company's board of directors is responsible for the Company's cyber risk oversight. The Company has established a risk committee (the "Risk Committee") comprised of members of senior management whose responsibilities include identifying, assessing, and managing enterprise-level and material risks to the Company, including strategic, financial, credit, market, liquidity, security, property, information technology ("IT"), cyber, legal, regulatory, and reputational risks. As described in greater detail below, the Risk Committee also assesses and makes the final determination as to whether a cybersecurity incident is material. The Risk Committee is comprised of members of the Company's senior management, who have managed and overseen cybersecurity risk at numerous public companies. The Company's head of IT has overseen cybersecurity strategy, cybersecurity risk management, engineering of security technology, managed security service providers, processes and governance at other publicly traded companies and holds industry-standard certifications with respect to cybersecurity risk management. Company management, including members of the Risk Committee, provides regular updates to the board of directors regarding material matters with respect to the Company, including cyber matters. These updates include quarterly updates to the board with respect to material cyber events and an annual cybersecurity program overview covering cybersecurity strategy, assessment, risks, notable events and governance. The Company also conducts an annual enterprise risk assessment through which it identifies and assesses material risks to the Company, including both cyber and non-cyber risks. This assessment is reviewed and discussed with the board of directors.
The Company has developed policies and procedures with regard to cyber incident responses which policies and procedures are based on key components of the National Institute of Standards and Technology Cybersecurity Framework, together with other best practices. Since completion of the Separation and Distribution, the Company has not had any risks of cybersecurity threats or cybersecurity incidents that have materially affected or, to the Company's knowledge, are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. However, if such a material cybersecurity incident is identified or were to occur, Company management would report it to the board of directors immediately. The Company's IT department is responsible for day-to-day management of potential cybersecurity risks. As part of its management of cybersecurity risks, the IT department conducts regular cybersecurity training of the Company's employees, which includes an annual training given to all employees and internal contractors, targeted trainings for employees and internal contractors with specific roles within the Company and simulated cyber threats, including phishing exercises that spoof common and novel tactics used by threat actors. The IT department, through the Company's head of IT, provides regular updates and reports to the Company's executive officers and the Risk Committee regarding cybersecurity threats, risks from such threats, strategies and recommendations to mitigate risk from such threats, cybersecurity incidents that have occurred, industry updates, and policy and process recommendations. The Company's executive officers and the Risk Committee provide guidance and approval of such items to ensure that such risks are mitigated and in line with the Company's overall risk management systems and processes.
If the Company's IT department identifies a cybersecurity incident, the IT department assesses such incident and its materiality. If the IT department makes a preliminary determination that a cybersecurity incident may be material, the IT department brings the incident to the attention of the Risk Committee. The Risk Committee then continues its assessment and makes the final determination whether the cybersecurity incident is material. The IT department, the Risk Committee, and any necessary third parties, including managed security service providers, forensic investigators, and internal and external auditors, collaborate in the response and management with respect to cyber incidents. The Company utilizes an independent external firm that provides services to detect cybersecurity risks and makes recommendations to the Company regarding ways the Company can better protect itself from threats and improve internal processes based on cyber threats and risks that are impacting other companies. Additionally, as part of its processes for assessing, identifying and managing risks from cybersecurity threats, the Company intends to periodically conduct maturity and other external cybersecurity assessments to evaluate its cybersecurity maturity and enhance its cybersecurity capabilities. The Company's auditors also perform annual inquiries and risk assessments into cybersecurity practices and potential incidents. The Company has processes to oversee and identify material risks from cybersecurity threats associated with its use of third-party service providers. Such processes include evaluating service providers to ensure coverage of key cybersecurity risks have appropriate mitigations. The Company also monitors for threats impacting key service providers and assesses identified threats for potential impacts to services, data, and systems.


Company Information

Name: Orion Office REIT Inc.
CIK: 0001873923
SIC Description: Real Estate Investment Trusts
Ticker: ONL - NYSE
Website
Category
Emerging growth company
Fiscal Year End: December 30